High CPU usage in the DLP Detection Server and the DetectionServerContentExtractionTemporary folder is filling up

Article ID: 174425

Products

Data Loss Prevention Enforce, Data Loss Prevention Network Discover, Data Loss Prevention Endpoint Discover, Data Loss Prevention Core Package, Data Loss Prevention Enterprise Suite, Data Loss Prevention Network Monitor, Data Loss Prevention, Data Loss Prevention Network Monitor and Prevent for Email and Web

Issue/Introduction

There is high CPU usage and a build-up of TMP files in the Data Loss Prevention Server, at the following location:

C:\users\<User Name>\appData\Local\Temp\DetectionServerContentExtraction\KP_xxxxxxxxxxxx (TMP Files)

This may occur after an upgrade.

Cause

By default, ContentExtraction.TemporaryDirectory is not set in the advanced settings, so the system creates a subdirectory whose name is prefixed with "DetectionServerContentExtractionTemporary".

The directory is created by incorrectly using the mktemp API in Java, and the resulting name is passed on.

In some cases, such as with Network Monitor, the issue can prevent FileReader from starting.

Environment

DLP versions prior to 15.8.

Resolution

  1. From the Enforce server, open the Detection Server, click on the Server Settings button, and scroll down to the "ContentExtraction.TemporaryDirectory" field.
  2. In the field, enter "C:\temp\TempCEHFiles".
  3. Restart the Detection Server Monitor service.
  4. On the Detection Server, remove/delete the DetectionServerContentExtraction folder.

This issue will be fixed in a future DLP release (most likely Orion, as per Etrack).

Additional Information

If FileReader is not starting, the issue is accompanied by the following:

  • In the Enforce console the detection server shows as "Running Selected," as the FileReader is unable to start
  • In the Enforce console, the detection server may reflect an error event code "2800" "Bad spool directory configured for Packet Capture"
  • Logs pulled from the detection server show the following entries in the FileReader logs:
Date: 3/12/2020 4:01:12 PM
Class: com.vontu.messaging.FileReaderSetup
Method: initialize
Level: SEVERE
Message:  (DETECTION.3) Failed to initialize Detection
java.lang.RuntimeException: Failed to create content extraction service temporary directory
at com.vontu.cracker.jni.EngineContext.setupTemporaryDirectory(EngineContext.java:62)
at com.vontu.cracker.jni.EngineContext.<init>(EngineContext.java:86)
at com.vontu.cracker.NativeExtractionEngine.<init>(NativeExtractionEngine.java:82)
at com.vontu.cracker.NativeExtractionEngine.<init>(NativeExtractionEngine.java:43)
at com.vontu.detection.ExtractionEngineFactoryLoader.loadExtractorFactory(ExtractionEngineFactoryLoader.java:39)
at com.vontu.messaging.FileReader.initializeContentExtractionServices(FileReader.java:620)
at com.vontu.messaging.FileReader.start(FileReader.java:390)
at com.vontu.messaging.FileReaderSetup.initialize(FileReaderSetup.java:105)
at com.vontu.messaging.FileReader.main(FileReader.java:297)
Caused by: java.nio.file.AccessDeniedException: /opt/Symantec/DataLossPrevention/DetectionServer/15.5/Protect/bin/TempCEHFiles
at sun.nio.fs.UnixException.translateToIOException(UnixException.java:84)
at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:102)
at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:107)
at sun.nio.fs.UnixFileSystemProvider.createDirectory(UnixFileSystemProvider.java:384)
at java.nio.file.Files.createDirectory(Files.java:674)
at java.nio.file.Files.createAndCheckIsDirectory(Files.java:781)
at java.nio.file.Files.createDirectories(Files.java:767)
at com.vontu.cracker.jni.EngineContext.setupTemporaryDirectory(EngineContext.java:58)
... 8 more
Date: 3/12/2020 4:01:12 PM
Class: com.vontu.logging.LocalLogWriter
Method: write
Level: SEVERE
Message:  File Reader failed to start. Error starting File Reader. Failed to create content extraction service temporary directory No incidents will be detected.

Resolution:

Instead of entering only TempCEHFiles, create a directory named TempCEHFiles on any drive, for example:

C:\Program Files\Symantec\DataLossPrevention\DetectionServer\15.7\Protect\temp\TempCEHFiles\

or 

C:\TempCEHFiles\

Then enter the full path to that directory in step 2 above.
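A pre-flight check for the value entered in step 2, as an added example (not Symantec code): it rejects a bare name such as TempCEHFiles, creates the directory, and confirms that files can be written to it. The function name and the working_dir parameter are assumptions, and it should be run under the account that runs the detection server service.

```python
import os
import tempfile
from pathlib import Path


def prepare_temp_dir(value, working_dir):
    """Validate a ContentExtraction.TemporaryDirectory value and create it.

    working_dir is an assumption: the directory the detection process runs
    from (Protect/bin in the stack trace). Returns (path, problems).
    """
    path = Path(value)
    if not path.is_absolute():
        # A bare name such as "TempCEHFiles" is resolved against the process
        # working directory, which the service account may not be able to write.
        resolved = Path(working_dir) / path
        return resolved, [f"relative value; would resolve to {resolved}"]

    problems = []
    try:
        # Same effect as Files.createDirectories in the trace: create the
        # directory and any missing parents, succeed if it already exists.
        path.mkdir(parents=True, exist_ok=True)
    except OSError as exc:
        # Covers permission denied and a regular file in the way.
        return path, [f"cannot create directory: {exc.__class__.__name__}"]

    try:
        # Write probe: content extraction needs to create TMP files here.
        with tempfile.TemporaryFile(dir=path):
            pass
    except OSError as exc:
        problems.append(f"directory not writable: {exc.__class__.__name__}")
    return path, problems


if __name__ == "__main__":
    # Constructed demo: a scratch directory stands in for the server's drive.
    with tempfile.TemporaryDirectory() as root:
        bin_dir = os.path.join(root, "bin")
        for value in ("TempCEHFiles", os.path.join(root, "temp", "TempCEHFiles")):
            path, problems = prepare_temp_dir(value, working_dir=bin_dir)
            print(value, "->", path, "OK" if not problems else problems)
```

An empty problem list means the full path can be entered in the ContentExtraction.TemporaryDirectory field.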